Leveraging Segmentation to Secure IoT

The rapid deployment of IoT devices has had a significant and lasting impact on the security of today's evolving network. BYOD, the first significant infusion of IoT devices begun over a decade, was focused mainly on user-owned devices such as mobile phones and laptops. Even then, as system administrators began to wrestle with ways to integrate unsecured and unprotected devices into primarily closed networks, cybercriminals quickly began exploiting this new attack vector.

IoT is accelerating at an unprecedented rate

Fast forward to today, and the problem has been compounded many times over. Users have replaced cellphones with smartphones that run more applications than anyone ever imagined. Meanwhile, other smart devices, such as wearables and tablets, continue to expand, with some experts estimating that there will be seven devices per person connected to networks by 2020.

End-user devices, however, are just the tip of the iceberg for system administrators. Other IoT devices are proliferating inside networks at an unprecedented rate as well, ranging from smart appliances and inventory trackers to connected medical and OT devices. This expansion is a key driver behind the growth of Big Data, and is responsible for a significant increase in networking traffic. Experts suggest that global mobile data traffic, generated by nearly 32 billion connected IoT devices in 2023, will grow at a CAGR of 43%.

Most IT security architectures are unprepared

Because most of this data is in the form of applications and transactions that need to move between a variety of networks, including multi-cloud environments, most of it will also be encrypted. While traditional data volume alone will soon overwhelm most security devices currently in place, encryption adds another layer of complexity as the performance of nearly every installed security solution on the planet is already severely crippled when SSL traffic is inspected. And yet, that will soon be the primary function of most edge and internal security devices.

For organizations competing in the emerging digital marketplace, the failure of security to keep up is unacceptable. Even worse, experience shows that users will always find ways to bypass security that becomes a bottleneck. For security teams, slowing things down in order to adequately apply security inspections and protocols is not an option. And yet, given the fact that security budgets are not keeping up with demand, upgrading to the handful of security devices that can actually handle such performance requirements is out of reach.

And even then, the challenge is complicated further because organizations also need to ensure consistent security policy enforcement as data moves across and between network domains, which means that organizations will also need to deploy tools with identical features and function across a variety of networked ecosystems.

Leveraging segmentation to secure IoT

The answer is to work smarter. A critical strategy for achieving this objective is to implement a comprehensive segmentation strategy. Implementing such an effective IoT security strategy requires three fundamental steps:

1. Establishing Broad Visibility – The biggest challenge facing most organizations is simply identifying and tracking all IoT devices connected to the network. Network Access Control allows organizations to authenticate and classify IoT devices securely. Real-time discovery and classification of devices at the point of access allows IT teams to build risk profiles and automatically assign IoT devices to appropriate device groups, along with associated policies.

2. Segment IoT from Production Networks – Once the network has identified IoT devices, IT teams then need to establish IoT attack surface controls. Segmenting IoT devices and related communications into policy-based groups and secured network zones allow the network to automatically grant and enforce baseline privileges for specific IoT device profiles. While inventory management tools can track these devices, and behavioral analytics can monitor their behavior, Internal Segmentation Firewalls (ISFW) need to be applied to enable organizations to not only quickly and dynamically establish and control network segments but also inspect applications and other traffic that need to cross segmentation boundaries.

3. Protect the Network – Establishing policy-driven IoT groups and then combining them with internal network segmentation enables multi-layered monitoring, inspection, and enforcement of device policies based on activity, regardless of where across the distributed enterprise infrastructure they have been deployed. An integrated and automated security framework then enables traditionally isolated security devices to correlate threat intelligence as IoT traffic traverses the network—even between devices deployed across different network ecosystems. These integrated tools can then automatically apply advanced security functions to any IoT devices or traffic that begins to misbehave, anywhere across the network, including at access points, cross-segment network traffic locations, and across multi-cloud deployments.

Organizations can no longer afford to treat IoT devices as an isolated or independent component of their business. IoT devices and their related data interact with other devices and resources across your extended network, including endpoint devices, multi-cloud environments, and increasingly interconnected IT and OT networks.

Traditionally isolated IoT security solutions not only increase overhead and reduce visibility but are utterly incapable of keeping up with the volume of traffic that today’s IoT devices are beginning to generate. To adequately protect networks and the IoT, organizations require a broad security architecture that can span networked environments, powerful security tools that can dynamically segment IoT devices while inspecting their encrypted traffic at network speeds, and deep integration between security solutions to correlate threat intelligence and automatically respond to detected threats, anywhere across the distributed IoT network.

John Maddison is Sr. Vice President, Products and Solutions at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.